In May this year, IMS research released data stating that in 2012, 900 million users will be accessing banking and payment services through their mobile phones [1]. This enormous figure reflects the evolution of consumer activity from the high street bank, through to the PC and on to the smartphone, and yet there is little to no education for users on the risks involved in accessing banking data through their mobile phone. So while the last few years have focused on educating the public about banking, shopping and online activity through their PCs, the mobile phone is a new arena where operators need to step up and educate users on protecting their personal data on the go.
Many consumers assume that operators pre-load security functionality on handsets, and indeed, when purchasing a mobile phone, consumers are offered insurance for loss or theft of the handset, but not in relation to mobile security. Indeed, McAfee's 2008 Mobile Security report identified that 72% of mobile users were concerned about the level of security services for their mobile phones [2], which shows that it is still a topic that remains less prominent, but just as prevalent, as PC security. With the advancements of the mobile phone, come the additional tasks of protecting information stored and accessed via the device.
While the meaning of "security" hasn't changed much over time, its context has evolved at a frightening pace, with more and more risks making themselves ever present in consumers' everyday lives. Prominently reported in the news, there have been several stories already this year of confidential information being accessed and taken out of the workplace through employees' devices. Indeed, a recent survey by Decipher Inc found that "70% of those questioned said they access what they consider to be sensitive data on their smartphone in order to work outside the office" [3]. While the mobile phone is not a new arena for security threats, it is still hugely overshadowed by the traditional areas of threats to home, work and personal computers. With record numbers of spam hitting consumers' mobiles on an hourly basis, its time to shift the focus from the online world to the personal realm of mobile communication.
For consumers the mobile phone has opened up a world of new possibilities. Mobile subscribers can now use their mobile phone for a host of activities - be it paying or accessing bank details, purchasing cinema and concert tickets, travelling around cities or accessing social networking sites such as Facebook. All these tools are aimed at making consumers' lives easier while on the move. However, with all the progress that has been made, there is still very little information available for the mobile user on protecting against the same dangers that would be second nature to them while working on a PC.
So what areas are mobile users most at risk from?
1 Unwanted SMS
2 Spam text
3 Messaging-borne spyware and malware
4 MMS threats
Unwanted SMS
One of the most prevalent security risks for mobile users, and one universally recognised now, is unwanted SMS. Most users would recognise unwanted advertising, or in worse scenarios, unwanted and malicious messages. With an estimated 72% of all mobile phone subscribers worldwide being active users of SMS, each is at risk from several forms of SMS abuse, from unwanted advertising, denial-of-service attacks in the form of SMS flooding or scam messages encouraging subscribers to make premium rate calls.
Spam Text
Global SMS spam levels continue to rise at a frightening pace. In March this year, China saw an unprecedented influx of spam messages with 200 million China Mobile subscribers hit [4]. What makes it easy for spammers is the low price of SMS, meaning users can be targeted outside their own country. However, with mobile marketing becoming ever more popular, application-to-person SMS is gradually becoming more and more common as advertisers aim to reach audiences through different channels.
Messaging-borne spyware and malware
Spyware and malware are one of the most malicious formats of mobile threats. Users can be targeted through a message containing a URL or Web link which once clicked, downloads a virus or application with a hidden piece of code to the handset. The most common strain of Trojan targets the user's address book, which then infects all contacts with the same virus, and the pattern repeats itself. Small businesses in particular are at risk as they are more likely to be using smartphones with unsecured e-mail clients. Additionally, the arbitrators of the Trojans use fake mobile accounts that cannot be billed to a single operator, meaning there is a huge volume of messaging traffic that no one is paying for which makes them very hard to trace.
MMS threats
Despite currently being less prominent than SMS in attacking mobile users, malicious MMS messages are a threat for users with Bluetooth. The virus, once installed on a device, can replicate itself through the Bluetooth application, again through the address book on the phone. The user is then charged for the huge volume of messaging that has taken place unbeknown to the user, as well as draining the battery of the phone. However, MMS threats can be more easily controlled through disabling the Bluetooth function when not in use.
The cure?
So what can consumers do to prevent these threats? Firstly, more education is required from the operators and network providers - 55% of users expect mobile operators to preload mobile security functionality to all handsets [5], and with PC security readily available, the lack of knowledge for mobile users means assumptions are made by users because information is not readily available. With high-profile events fast approaching, a step towards educating users is well overdue.
Secondly, the mobile operators need to heed their advice and deploy mobile security tools and services to ensure their subscribers are protected. For under 18s and other vulnerable users, a mobile operator can empower parents to control who can contact their children and the types of content they are willing to receive. This can be done through content controls which allow parents to prevent children from accessing inappropriate Web and WAP sites, receiving unwanted and unsolicited messages such as phishing attempts, bullying and harassment, pornographic images by MMS, or subscriptions to unwanted premium rate messaging services.
For corporate organisations, operators can not only provide subscribers with the means to enforce corporate usage policies (ensuring Mobile Data compliance to existing LAN acceptable use policies) but can also extend this capability from Internet access to embrace messaging and safeguard users from spam, phishing and virus attacks, while also protecting the operator's network.
However, it is not only the end-users who need protecting. The mobile operators' networks are also affected by SMS fraud leading to revenue loss between operators. Studies of operator traffic show that typically 1% to 2% of all traffic carried may be spoofed or faked, which for the large messaging volumes carried, result in direct costs.
Growing mobile messaging and data revenues depends upon the growth of accessible mobile content. However without controls, users are potentially subject to harassment, unsolicited messaging, inappropriate content and fraud. Unless addressed, these concerns will inhibit the growth of mobile phone penetration in new segments, and the usage of messaging and data. Without the ability to preserve privacy through managing content and access, a user has one choice - suffer or switch off the service.
1 http://www.imsresearch.com/members/pr.asp?X=491
2 McAfee Mobile Security Report 2008
3 http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1322575,00.html
4 http://www.sophos.com/pressoffice/news/articles/2008/03/china_sms.html
5 McAfee Mobile Security Report 2008
Share